Try it using Invoke-Atomic

Device Driver Discovery

Description from ATT&CK

Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. Security Software Discovery) or other defenses (e.g., Virtualization/Sandbox Evasion), as well as potential exploitable vulnerabilities (e.g., Exploitation for Privilege Escalation).

Many OS utilities may provide information about local device drivers, such as 

1

driverquery.exe
and the 
1

EnumDeviceDrivers()
API function on Windows.(Citation: Microsoft Driverquery)(Citation: Microsoft EnumDeviceDrivers) Information about device drivers (as well as associated services, i.e., System Service Discovery) may also be available in the Registry.(Citation: Microsoft Registry Drivers)

On Linux/macOS, device drivers (in the form of kernel modules) may be visible within 

1

/dev
or using utilities such as 
1

lsmod
and 
1

modinfo
.(Citation: Linux Kernel Programming)(Citation: lsmod man)(Citation: modinfo man)

Atomic Tests

Atomic Test #1 - Device Driver Discovery

Displays a list of installed device drivers on the local computer and their properties. Threat actors use this command to enumerate the existing drivers on the computer. Parameters: /v /fo list - Displays verbose output in a list format - the /v parameter is not valid for signed drivers /si /fo list - Provides information about signed drivers and outputs it in a list format

Supported Platforms: windows

auto_generated_guid: 235b30a2-e5b1-441f-9705-be6231c88ddd

Inputs:

None

Attack Commands: Run with powershell!

1
2

driverquery /v /fo list
driverquery /si /fo list

source